Equifax Underestimated by 2.5 Million the Number of Potential Breach Victims

Equifax has revised its estimate for the number of people potentially affected by its recent massive data breach to a total of 145.5 million people, 2.5 million more than it initially reported.

One of three main credit reporting agencies in the U.S. next to Experian and TransUnion, Equifax (efx) stores a trove of highly sensitive personal and financial details about consumers. From mid-May through July, an as yet unidentified hacker group gained access to a large swathe of this data—including names, birthdates, street addresses, credit card numbers, and Social Security numbers—the company disclosed last month.

Equifax released the new estimate on Monday, a day after Mandiant, the computer forensics division of the cybersecurity firm FireEye (feye) that Equifax hired, completed its full review of the damage. Despite the higher figure, Equifax said that Mandiant “did not identify any evidence of additional or new attacker activity or any access to new databases or tables.”

Equifax said Mandiant also found no evidence of unauthorized activity on databases located outside of the United States.

“I want to apologize again to all impacted consumers,” Paulino do Rego Barros, Jr., Equifax’s newly appointed interim CEO, said in a statement. “As this important phase of our work is now completed, we continue to take numerous steps to review and enhance our cybersecurity practices. We also continue to work closely with our internal team and outside advisors to implement and accelerate long-term security improvements.”

Equifax said that while it initially warned that data on about 100,000 Canadians may have been exposed, it has now revised that number down to 8,000 potential Canadian victims. The company said it would notify them through the mail.

Equifax’s board said it is investigating other members of its executive team, including its chief financial officer and general counsel, for selling stock after the breach’s discovery, but before its public disclosure. A number of lawsuits have been filed against the company for allegedly mishandling people’s data.

Equifax has recommended that consumers enter some identifying details into a website it set up in the aftermath of the hack to determine whether they were affected. The company said it would update the database with the names of the additional millions of potentially affected consumers by Oct. 8.